A new law introduces protections for citizens, including children, but exemptions from the rules for government agencies is concerning

The act has been six years in the making

On 11 August 2023, India finally published the Digital Personal Data Protection (DPDP) Act. The journey to the law began in 2017 and comes after a previous bill was withdrawn in 2019 over concerns from tech firms regarding its proposed restrictions on cross-border data flows. The DPDP Act is based on seven principles:

1. Consented, lawful and transparent use of personal data;

2. Purpose limitation (the use of personal data only for a specific purpose);

3. Data minimisation (the collection of only as much personal data as is necessary to serve that purpose);

4. Data accuracy (ensuring data is correct and updated);

5. Storage limitation (storing data only for as long as it is needed);

6. Reasonable security safeguards; and

7. Accountability (including penalties of up to INR2.5bn (£23.7m) for data breaches and infringements of the bill).

Right and obligations for individuals

The DPDP Act introduces some new terminology, such as: ‘Data Fiduciaries’ (people, companies and government entities who process data – data controllers and processors under the GDPR) and ‘Data Principals’ (the individual to which the data relates – the data subject under the GDPR). The law outlines a short set of rights for Data Principals (including access, correct and erasure, and grievance redressal), and imposes obligations on them, with potential fines for making a "false or frivolous" complaint about how their data is used. The act will allow companies to transfer some users' data abroad while giving the Government power to block the website or app of a Data Fiduciary on the advice of a new Data Protection Board of India. There are also a number of exemptions to the rules, particularly for state bodies that may be acting in the interests of national security, sovereignty or public order.

Criticisms over government exemptions and start-up costs

While some stakeholders, such as law firms, are cautiously welcoming the landmark act, it has drawn criticism from opposition lawmakers and civil society organisations over the scope of the exemptions. The Internet Freedom Foundation, a digital rights group, considers that the law puts in place a regime to facilitate the data processing activities of state and private actors, which will increase surveillance by government agencies. There are also concerns about the compliance costs for start-ups as Data Fiduciaries and the lack of strict international data transfer rules. The Act allows the free transfer of personal data outside India, except to countries blacklisted by the Government. While this may benefit some tech companies, it may not provide for adequate evaluation of data protection standards in the countries to which the transfer of data is allowed.

Specific provisions focus on children

The DPDP Act does, however, include specific safeguards to protect the personal data of children. A Data Fiduciary can only process this data with parental consent, while the law also prohibits processing that is detrimental to the wellbeing of children or involves their tracking, behavioural monitoring or targeted advertising. These provisions reflect initiatives taken by, or under development in, a number of countries in Europe to raise the minimum age at which tech firms can lawfully obtain the personal information of minors.